Authentication & Authorization

Overview

Cyoda Cloud provides a secure, OAuth 2.0-based authentication system designed for developers building applications that integrate with the Cyoda platform. This guide explains the authentication flow from user registration to API integration.

User Registration
Environment Setup and Provisioning
Technical User Creation
Authentication Flows
Security Features

User Registration

Prerequisites

Before using Cyoda Cloud, you must:

Review Legal Documents: Carefully read and understand the Terms & Conditions and Data Privacy Policy
Accept Compliance: Ensure full understanding and acceptance of all terms before proceeding

Registration Process

Access the AI Assistant: Navigate to the Cyoda Cloud web-based Single Page Application (SPA)
Choose Authentication Provider: Register using one of the supported providers:
- Google Auth: Sign up using your Google account
- GitHub: Sign up using your GitHub account
Complete Registration: Follow the Auth0 authentication flow to complete your account setup
Free Tier Access: Upon successful registration, you’ll be automatically enrolled in the Free Tier subscription

Free Tier Limitations

See Entitlements

Environment Setup and Provisioning

See Provision Environment

Connection

Your environment has several service endpoints, which are determined by your CAAS user ID.

Service	URL Pattern	Description
Cyoda UI	`https://client-<caas_user_id>.eu.cyoda.net`	Web interface for your Cyoda environment
HTTP API	`https://client-<caas_user_id>.eu.cyoda.net/api`	Base URL for REST API endpoints
gRPC	`grpc-client-<caas_user_id>.eu.cyoda.net`	gRPC service access endpoint
JDBC/Trino	`jdbc:trino://trino-client-<caas_user_id>.eu.cyoda.net:443`	Database query interface via Trino

Technical User Creation

Overview

You need a technical user to access your Cyoda Cloud API outside of the UI (Cyoda UI or AI Assistant). Technical users are machine-to-machine (M2M) clients authenticated using OAuth 2.0 client credentials flow.

Creation Process

Login Requirement: You must be logged into the AI Assistant
Request Technical User: Prompt the AI Assistant with your environment name and request to create a new technical user
```
Example prompt: "add new machine user"
```
Receive Credentials: The AI Assistant will provide:
- Client ID: Unique identifier for your technical user
- Client Secret: Secret key for authentication (shown only once)

Important Security Notes

One-Time Display: The client secret is shown only once during creation
Secure Storage: Store credentials securely in your application configuration
No Recovery: Lost secrets cannot be recovered; you must create a new technical user
Rotation: Regularly rotate credentials for enhanced security

Authentication Flows

OAuth 2.0 Client Credentials Grant

Cyoda Cloud implements the standard OAuth 2.0 Client Credentials Grant (RFC 6749) for machine-to-machine authentication. All service endpoints support this flow.

Security Features

JWT Tokens

Algorithm: RS256 (RSA Signature with SHA-256)
Expiration: 5 minutes
Issuer: Cyoda Ltd.
Claims: Include user ID, roles, and legal entity information

Tenant Isolation

Legal Entity Boundaries: Data and operations are isolated by legal entity
Multi-tenancy: Each organization operates in its own isolated environment
Access Control: Users can only access resources within their legal entity

Credential Management

Secure Generation: Client secrets use cryptographically secure random generation
BCrypt Hashing: Secrets are stored using BCrypt hashing
Rotation Support: Secrets can be rotated via API/gRPC call.

Authentication & Authorization

Overview

Table of Contents

User Registration

Prerequisites

Registration Process

Free Tier Limitations

Environment Setup and Provisioning

Connection

Technical User Creation

Overview

Creation Process

Important Security Notes

Authentication Flows

OAuth 2.0 Client Credentials Grant

Security Features

JWT Tokens

Tenant Isolation

Credential Management